[Bug] "Disable sign-in" also disables API requests using existing token

[KaKi87]

• Gitea version (or commit ref): 1.12.4
• Git version: 2.20.1
• Operating system: Debian 10
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant

Description

Disable sign-in is an option that prevents login attempts to an account.
But this option, when enabled, also blocks API requests.
Considering that an API call is made with a token that have been previously generated, then it's technically not a login action.
Therefore, I'm asking for API calls to be allowed when this option is enabled.

My use case : I needed a bot account for a project that generates Gitea issues from Sentry SDKs.
So, I created a user account with a random 64 all-type characters password that I only used once and din't saved, in order to generate an API token that I saved in one place : the project's configuration file.
Then I'd like to disable login on the account so that no one gets tempted to try cracking it.

Although I didn't tried it, I think that if enabling Disable sign-in also blocks previously created and non-expired session tokens, this blocking should also be removed.

The right solution, that actually exists, to implement these behaviors, is disabling the account by unchecking the User Account Is Activated option.

Screenshots

When Disable sign-in is enabled :

When Disable sign-in is disabled :

Thanks !

[lunny]

It's by design. Disable or not, it's a problem. Maybe we need a new option named Disable API.

[KaKi87]

I don't understand how is an API request a login action ?

[zeripath]

Using a token is a login action - with a token you can do almost anything that you can do with a password.

What you mean is that you want to disable non-token authentication.

[KaKi87]

Using a token is a login action

How so ?
Isn't generating the token a login action ?